VYPR
Critical severity9.8NVD Advisory· Published Jun 8, 2023· Updated Jun 17, 2026

CVE-2023-29405

CVE-2023-29405

Description

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

40

Patches

Vulnerability mechanics

References

8

News mentions

0

No linked articles in our index yet.